Most nonprofits will be asked about vulnerability scanning when they renew cybersecurity liability insurance or complete an annual audit. Do you know what it means and what you should do to comply? 

The takeaways: 

• There is no one-size-fits-all vulnerability scanning app for your entire organization. You will need to do vulnerability scanning on various systems and the scanning will be different. 
• As part of your incident response planning you should have an inventory of your general vulnerabilities – website, any custom apps, any customized anything, and then other apps and tools. Check in with your IT team and stakeholders. 
• If you are being asked to check off a box on your cyberliability insurance or part of your annual financial audit, talk with the auditors or your insurance broker to get more clarity.
• In addition to checking this necessary box, vulnerability scanning is an important layer of protection to have around your organization and your mission. Take it seriously, but realize that as a buzzy term, you may be approached by vendors overselling what you need. 
• A trusted IT partner – whether a board member, IT director, or outsourced IT provider – can help you wade through the options and choose the one that fits your budget, risk profile, and the specifics of your IT set up.

Vulnerability scanning is the process of using automated tools to scan for weaknesses in computer systems, apps, networks, and platforms. It is particularly necessary for websites, to avoid falling victim to hacks and ransom extortion. It is a proactive approach to finding these flaws and vulnerabilities before outsiders and hackers can. Doing vulnerability scanning will help your nonprofit learn where risks may hide, and allow you to take proactive steps to mitigate risks and correct errors in configuration. Vulnerability scanning providers will need access to your systems and will provide a comprehensive report on vulnerabilities found, often arranged by most immediate risks or risks most potentially damaging.

Many security regulations and standards require periodic vulnerability scanning. Nonprofits are being asked to complete vulnerability scanning as part of renewing cyberliability insurance or complying with enhanced annual audits as part of SAS145 guidelines. Vulnerability scanning helps prioritize remediation efforts by highlighting the most critical vulnerabilities, and should be a continual process renewed periodically to help improve nonprofits’ security posture. 

Many providers will use the label “vulnerability scanning” so it is important to understand what is meant by this term and what the provider will do and report on. There is no one universal vulnerability scanner. Different systems must be scanned with their own automation. 

If you have questions that aren’t answered by this podcast, talk to us! On our site we have free resources on basic cybersecurity and IT governance policies. You can use our downloadable Cybersecurity Playbook or other online resources, or schedule time with our Cybersecurity Expert Matthew Eshleman to ask your questions.

_______________________________
Start a conversation :)

• Register to attend a webinar in real time, and find all past transcripts at https://communityit.com/webinars/
• email Carolyn at cwoodard@communityit.com
• on LinkedIn

Thanks for listening.